home folder encryption

[MiszS]

Will my home folder be encrypted again, after i go to the lock screen in linux mint, and if it wont, what can i do for it to encrypt each time i log out?

[Eigenvektor]

There's a lot of context missing to your question, like what type of encryption you've set up in the first place.

 

When you use disk encryption, data on the disk generally stays encrypted all the time.

 

The decryption key is unlocked and loaded into memory when you sign in. That allows the OS to transparently decrypt data on the fly. Signing out removes the key from memory.

 

The data is only in a decrypted state while loaded into memory, the disk itself is never decrypted (otherwise, that would take a long time, each time you sign in/out)

[MiszS]

4 hours ago, Eigenvektor said:

There's a lot of context missing to your question, like what type of encryption you've set up in the first place.

 

When you use disk encryption, data on the disk generally stays encrypted all the time.

 

The decryption key is unlocked and loaded into memory when you sign in. That allows the OS to transparently decrypt data on the fly. Signing out removes the key from memory.

 

The data is only in a decrypted state while loaded into memory, the disk itself is never decrypted (otherwise, that would take a long time, each time you sign in/out)

ohh, thanks for the explanation, and im not sure what type of encryption is it, i just selected "encrypt home folder" when installing linux mint

[Eigenvektor]

53 minutes ago, MiszS said:

ohh, thanks for the explanation, and im not sure what type of encryption is it, i just selected "encrypt home folder" when installing linux mint

Gotcha. I'm just asking because I'm more familiar with whole disk encryption using LUKS, rather than just encrypting individual folders.

 

But as I said, disk encryption does not decrypt the disk on login and then encrypt it again. That would take an enormous amount of time, especially as the number of files on your system grows larger, because it would have to rewrite every file.

 

Instead data on the disk always stays encrypted. The OS will decrypt/encrypt transparently whenever an app reads or writes data. The encryption key itself is typically encrypted using your account password. So as soon as you sign in, this key gets decrypted⁽¹⁾, and can then in turn be used to access the disk. This also means changing your password only needs to re-encrypt that key, rather than your whole disk, which would otherwise take a ton of time.

 

Just be extra sure to keep (encrypted) backups. Because if your OS ever has issues or goes bye bye, there's the possibility that all data in your home directory is gone/becomes inaccessible. There's always the chance you won't be able to recover it and you will have to rely on backups.

 

1) That also means data on the disk is really only safe as long as your PC is turned off. As long as it's on and/or you're signed in, the key and as such the data is accessible. Any malware running on the system can read it just fine, because the OS will transparently decrypt the data on read. So it'll only really protect you against a stolen disk and makes the most sense for laptops or other portable devices containing sensitive information.

[MiszS]

31 minutes ago, Eigenvektor said:

Gotcha. I'm just asking because I'm more familiar with whole disk encryption using LUKS, rather than just encrypting individual folders.

 

But as I said, disk encryption does not decrypt the disk on login and then encrypt it again. That would take an enormous amount of time, especially as the number of files on your system grows larger, because it would have to rewrite every file.

 

Instead data on the disk always stays encrypted. The OS will decrypt/encrypt transparently whenever an app reads or writes data. The encryption key itself is typically encrypted using your account password. So as soon as you sign in, this key gets decrypted⁽¹⁾, and can then in turn be used to access the disk. This also means changing your password only needs to re-encrypt that key, rather than your whole disk, which would otherwise take a ton of time.

 

Just be extra sure to keep (encrypted) backups. Because if your OS ever has issues or goes bye bye, there's the possibility that all data in your home directory is gone/becomes inaccessible. There's always the chance you won't be able to recover it and you will have to rely on backups.

 

1) That also means data on the disk is really only safe as long as your PC is turned off. As long as it's on and/or you're signed in, the key and as such the data is accessible. Any malware running on the system can read it just fine, because the OS will transparently decrypt the data on read. So it'll only really protect you against a stolen disk and makes the most sense for laptops or other portable devices containing sensitive information.

oh yea i always keep a backup of my personal data on an external hard drive, was asking that since i want to buy a laptop and want it to be as secure as possible, so ig ill just turn it off when im away